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Abstract —The Korkine-Zolotareff (KZ) reduction has been 
nsed in commnnications and cryptography. In this paper, we 
modify a very recent KZ reduction algorithm proposed by Zhang 
et al., resniting in a new algorithm, which can be much faster 
and more numerically reliable, especially when the basis matrix 
is ill conditioned. 

Index Terms —Lattice redaction, SVP, LLL reduction, KZ 
reduction, numerical stability. 

I. Introduction 

Eor any full column rank matrix A G the lattice 

E{A) generated by A is defined by 

C{A) = {Aziz G Z”}. (1) 

The columns of A form a basis of £(A). Eor any n > 2, 
C{A) has infinity many bases and any of two are connected 
by a unimodular matrix Z, i.e., Z G and det(Z) = ±1. 

Specifically, for each given lattice basis matrix A G 
AZ is also a basis matrix of C{A) if and only if Z is 
unimodular, see, e.g., m. 

The process of selecting a good basis for a given lattice, 
given some criterion, is called lattice reduction. In many 
applications, it is advantageous if the basis vectors are short 
and close to be orthogonal m. Eor more than a century, lattice 
reduction have been investigated by many people and several 
types of reductions have been proposed, including the KZ 
reduction ||2l, the Minkowski reduction lO, the LLL reduction 
H and Seysen’s reduction 0 etc. 

Lattice reduction plays an important role in many research 
areas, such as, cryptography (see, e.g., ©) , communications 
(see, e.g., ID, Q) and GPS (see, e.g., 0), where the closest 
vector problem (CVP) and/or the shortest vector problem 
(SVP) need to be solved; 


min \\y-Ax\\l, 

(2) 

min IIAtcjjn. 

a:GZ"\{0} " 

(3) 


The often used lattice reduction is the LLL reduction, which 
can be computed in polynomial time under some conditions 
and has some nice properties, see, e.g., a for some latest 
results. In some communication applications, one needs to 
solve a sequence of CVPs, where y’s are different, but A’s are 
identical. In this case, instead of using the LLL reduction, one 
usually uses the KZ reduction 13 to do reduction, since sphere 
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decoding for solving these CVPs becomes more efficient, 
although the KZ reduction costs more than the LLL reduction. 

There are various KZ reduction algorithms, see, e.g., m, 
CD, oa, ID. Very recently, another KZ reduction algorithm 
was proposed in US- Like in Cl, the LLL-aided Schnorr- 
Euchner search strategy ca is used to solve the n — 1 SVPs 
in C3. But instead of using Kannan’s basis expansion method 
used in CD and m, it uses a new basis expansion method 
which is more efficient. 

In this paper, we will propose a new KZ reduction algo¬ 
rithm, which improves the basis expansion method proposed 
in C3. Like d, we assume floating point arithmetic with 
fixed precision is used in the computation. Numerical results 
indicate that the modified algorithm can be much faster and 
more numerically reliable. 

The rest of the paper is organized as follows. In section 
im we introduce the LLL and KZ reductions. In section Hn] 
we introduce our modified KZ reduction algorithm. Some 
simulation results are given in section|IV]to show the efficiency 
and numerical reliability of our new algorithm. Linally, we 
summarize this paper in section |V] 

In this paper, boldface lowercase letters denote column 
vectors and boldface uppercase letters denote matrices. Lor 
a matrix A, let aij be its {i,j) element and At-j^k-i be the 
submatrix containing elements with row indices from i to j 
and column indices from k to £. Denote ei = [1,0,..., 0]^, 
whose dimension depends on the context. 


II. LLL AND KZ Reductions 


Assume that A in (|D has the QR factorization 


A — [Qi, Q2] 


R 

0 


(4) 


where [Qi, Q2 ] G is orthogonal and R G R"^” is 

n m—n 

upper triangular. 

After the QR factorization of A, the LLL reduction H re¬ 
duces the matrix i? in (|4]i to .R through the QRZ factorization: 

cfnz = R, (5) 


where Q G R"^" is orthogonal, Z G Z"^" is unimodular 
and R G R"^" is upper triangular and satisfies the following 
conditions: 

|T*fc| < / = l,2,...,fc- 1 (6) 

fc = 2,3,...,n (7) 




where (5 is a constant satisfying 1/4 < 5 < 1. The matrix AZ 
is said to be LLL reduced. Equations (|6]l and d?) are referred 
to as the size-reduced condition and the Lovasz condition, 
respectively. 

Similarly, after the QR factorization of A, the KZ reduction 
reduces the matrix i? in (IHi to .R in (|5]l, where R satisfies (|6]l 
and 

\fii\= min ||Ri:„,z:na;|| 2 , * = l,...,n. (8) 

X £ 

The matrix AZ is said to be KZ reduced. Note that if a matrix 
is KZ reduced, it must be LLL reduced for 5 = 1. 


III. A MODIFIED KZ REDUCTION ALGORITHM 
In this section, we first introduce the KZ reduction algorithm 
given in ns, then propose a modified algorithm. 


A. The KZ Reduction Algorithm in ^IM 

Lrom the definition of the KZ reduction, the reduced matrix 
R satisfies both (|6ll and (l8]l. If the QRZ factorization in © 
gives R satisfying ©, then we can easily apply size reductions 
to R such that ® holds. Thus, in the following, we will only 
show how to obtain R such that © holds. 

The algorithm needs n — 1 steps. Suppose that at the end 
of step fc — 1, one has found an orthogonal matrix £ 

^ unimodular matrix £ ■^nxn upper 

triangular g such that 

(g(fe-l))TR_^(/c-l) ^ _R(fc-l) (9) 


where for i = 1,..., fc — 1, 


mm 

^ezn-i+i\{o} 


( 10 ) 


At step k, like uses the LLL-aided Schnorr-Euchner 

search strategy lfT4l to solve the SVP: 


a;!'') = arg 


\Ri. 


(k-i) 


k:n,k:n^\\2- 


( 11 ) 


Then, unlike other KZ reduction algorithms, 01 finds the 
unimodular matrix by expanding ^ basis for 


the lattice {R^.„ : x £ Specifically, ifTl first 

^ ^(r —fc+ 1 ) X (n—/c+ 1 ) 


*'k:n,k:n 

constructs a unimodular matrix Z 
whose first column is x^^\ i.e.. 


(fc) 




( 12 ) 


(fe) 


and then finds an orthogonal matrix Q to bring 


(k—1) 

Rk-n k-n^ back to an upper triangular matrix R 

=s'‘’. 

Based on © and (fH i, we define 

Q{k) ^ Q(.k- 1 ) 


Tfc_i 0 
(fc) 


0 Q' 


^(fc) ^ 


0 


(k-l) ^(k) 

'(k) 


R' 


^{k) _ ^(k-l) 


0 Z 


0 

(k) 


I.e., 

(13) 

(14) 

(15) 

(16) 


Here is orthogonal, R*-^^ is upper triangular and is 
unimodular. Then, combining © and (fH . we obtain 

RZ'^’^'^ = R^’^\ (17) 


At the end of step n — 1, we get R*-"”^!, which is just R 
in ©. In the following we explain why ® holds. 

Lrom ( f© and ( f© . it is easy to verify that for i = 1,..., fc. 


d(^) _ 


Ik-i 0 

s(fc) 


n T 




Ik-i < 

0 Z 


0 Q 

Then, from (f© and ([© . for i = 1,..., fc — 1, 


(18) 


\ ' I'} \ \ ' ‘I't \ 


l\r>{k-l) II 

..mm \\Rl.n,^:n^h 

ccGZ"—+1\{0} 


mm 

^eZ"->+i\{o} 


I f/ik) II 


where z = 


(k)\ 
' kk I 


Ik-i 0 
0 Z<'“> 

dk) 


-1 


X. Lrom ( [© . ([© . (f© and (f© . 

Tf{k-1) 'i^^k) 


= ||R' ei|| = ||(Q' yR''k.~i:nZ ei 

~ ll■^k■.n,k■.n■I II ~ 


□; gZ"-''+i\{0} 


I Tfik — l) II 

I : n, fe: n 112 


,, (k) ^ — (k) ^ ■, ,, 

min R (Z ) ^xlU 
cceZ"-'‘+i\{o} 

min 

2gZ"-'=+i\{0} 


(19) 


Thus (f© holds when k — 1 changes to k. Then, with R = 
we can conclude © holds. 

In the following, we introduce the process of obtaining 
the unimodular matrix Z in (f© jiroposed in if© . (There 
are some other methods to find Z , see, e.g., if© pp.l3].) 
Suppose that z = [p, q]'^ £ 1? and gcd(p, q) = d, then, there 
exist two integers a and b such that ap + bq = d. Obviously, 


U = 


p/d 

q/d 


-b 

a 


( 20 ) 


is unimodular and it is easy to verify that U = dei. 
Lrom (f© . we can conclude that 

gcd{x‘y\ , xfy = 1. 

fh') 

After getting x^ >, Z can be obtained by applying a 
sequence of 2 by 2 unimodular transformations of the form 

(f20l i to transform to ei, i.e., {Z = ei (see 

(f© l. Specifically they eliminate the entries of from the 
last one to the second one. The resulting algorithm for finding 
Z is described by Algorithm [1] and the corresponding KZ 
reduction algorithm is described by Algorithm |2] 

Here we make a remark. Algorithm |2] does not show how to 
form and update Q, as it may not be needed in applications. 
If an application indeed needs Q, then we can obtain it by 
the QR factorization of AZ after obtaining Z. This would be 
more efficient. 
















Algorithm 1 The Basis Expansion Algorithm in lfT3l 
1: for i = n — k, ... do 

2: find d = gcd(a;i, a;i+i) and integers a and b such that 

axi + bxi+i = d\ 


3: 

4: 

5: 

6 : 


set U = 


Xi/d —b 
Xi+ild a 


Xi = d; 


^ l:n,i+k—l-.i+k — ^ l:n,i+k—l-.i+kU ^ 

^l:i+k,i+k—l-.i+k — ^l:i-\-k,i-\-k—l-.i+k'^-> 

find a 2 by 2 Givens rotation G such that: 


7. —l: 2 +/c, 2 +fc—l:n ^■^i-\-k — l:i—k,i-\-k—l:m 

8 : end for 



Algorithm 2 The KZ Reduction Algorithm in ifTSll 
1: computer the QR factorization of A, see (|4|l; 

2: set Z — I; 

3: for A: = 1 to n — 1 do 

4: solve mina,gz"-'‘+i\{ 0 } \\Rk-.n,k-.nx\\l by the LLL- 

aided Schnorr-Euchner search strategy; 

5: apply Algorithm [T] to update R and Z; 

6 : end for 

7: perform size reductions on R and update Z 


B. Proposed KZ Reduction Algorithm 

In this subsection, we modify Algorithms [T] and |2] to get a 
new KZ reduction algorithm, which can be much faster and 
more numerically reliable. 

Eirst, we make an observation on Algorithm |2] and make 
a simple modification. At step k, if = ± ei (see O), 
then, obviously, the basis expansion algorithm, i.e.. Algorithm 
[T]is not needed and we can move to step k + 1. Later we will 
come back to this issue again. 

In the following, we will make some major modifications. 
But before doing it, we introduce the following basic fact, 
which can be found in the literature: Eor any two integers p and 
q, the time complexity of finding two integers a and b such that 
ap + bq = d = gcd(p, q) by the extended Euclid algorithm is 
bounded by (!l(log 2 (min{|p|, |g|})) if fixed precision is used. 

In Algorithm |2l after finding (see (fTTT i'). Algorithm 

[U is used to expand R^^^ ^ basis for the lattice 

{Rl^n]e-n^ ■ * ^ There are some serious draw¬ 

backs with this approach. Sometimes, especially when A is 
ill-conditioned, some of the entries of may be very large 
such that they are beyond the range of consecutive integers in a 
floating point system (i.e., integer overflow occurs), very likely 
resulting in wrong results. Even if integer overflow does not 
occur in storing large may still cause problems. One 
problem is that the computational time of the extended Euclid 
algorithm will be long according to its complexity result we 
just mentioned before. The second problem is that updating Z 
and R in lines 4 and 5 of Algorithm [T] may cause numerical 


issues. Large xt and Xi+i are likely to produce large elements 
in t/. As a result, integer overflow may occur in updating Z, 
and large rounding errors are likely to occur in updating R. 
Einally, R is likely to become more ill-conditioned after the 
updating, making the search process for solving SVPs in later 
steps expensive. 

In order to deal with the large x^^'> issue, we look at line 
4 in Algorithm 121 which uses the LLL-aided Schnorr-Euchner 
search strategy to solve the SVR Specifically at step k, to solve 
(fTTli . the ELL reduction algorithm is applied to R^^^ 




( 21 ) 


^(k) ^(k) 

where Q G ]^(n-/c-i-i)x(ra-fc+i) orthogonal, Z G 
'^(n-k+i)x{n-k+i) Qnimodular and R^ ^ is LLL-reduced. 
Then, one solves the reduced SVP by the Schnorr-Euchner 
search strategy: 

= arg min lli?^ (22) 

zGZ”-''+i\{0} 


(k) 

The solution of the original SVP is = Z 

Instead of expanding as done in Algorithm |2] 

^ /'t.j 

we propose to expand R > to a basis for the lattice 

{i? z : z G Z"“ + }. Thus, before doing the expansion, 
we update and Z^^^ by using the ELL reduction 

(EB; 






Ik-1 

0 Q 


0 

(fc) 


R^^^ = 


.(k-i) 


(k) 




0 R 

Ik-1 
0 z 


0 


(23) 

(24) 

(25) 


Now we do expansion. We construct a unimodular matrix 
Z^ ^ G whose first column is z(^\ and 

^ (k) '^(k — l)^(k) 

find an orthogonal matrix Q to bring R Z back to 

~ (fe) 

an upper triangular matrix R (cf. (I13b l: 


(Q^'- 


1(k—1)(k) ^ (k) 

r: ’z^ =k ’. 


(26) 


Then, we update R^^'^ and as follows (cf. (fl4ll - 

(ESll): 


(fc) _ 


= Q 

= 


Ik-1 0 


0 Q' 

0 R^‘ 


Z^^^ = z 


(fe-1) 


Ik-1 0 
0 


(27) 

(28) 
(29) 


and we obtain the QRZ factorization of R in the same form 
as dnii at step k. 

Unlike x^^^ in (fTTI) . which can be arbitrarily large, z^^') in 
(I 22 I 1 can be bounded. Actually by using the ELL reduction 
properties and the fact that 




< 


II i-(fc-i)| 

ei ||2 = |fji I 





























we can show the following result: 

Theorem 1: For l<i<n — fc + 1, the i-th entry of G 
jn-k+i ^-ggg (|2^ ) satishes 


,(fe)l 


< 


M<5- r 


(30) 


where 8 is the parameter in the LLL reduction (see (l7]i). 

Because of the limitation of space, we omit its proof. 

Now we discuss the benehts of the modihcation. First, since 

-(fc-i) 

R is LLL reduced, it has a very good chance, especially 
when R is well-conditioned and n is small (say, smaller than 
30), that = ±ei (see ^). This was observed in our 
simulations. As we stated before, the basis expansion is not 
needed in this case and we can move to next step. Second, 
the entries of are bounded according to Theorem [T] 
but the entries of are not. Our simulations indicated 
that the former are smaller or much smaller than the latter. 
Thus, the serious problems with using for basis expansion 
mentioned before can be significantly mitigated by using 
instead. 

To further reduce the computational cost, we look at the 
basis expansion process at step k of Algorithm 2. After z^^'^ 
is obtained. Algorithm 1 is used to hnd a sequence of 2 by 
2 unimodular matrices in the form of (|20] | to eliminate its 
entries form the last one to the second one. We noticed in our 
simulations that often z^^'> has a lot of zeros and we would 
like to explore this to make the basis expansion process more 
efficient. Specifically, if 2 ; = [p, q\'^ G 1? with q = Q, then 
gcd(p, q) = p, and [/ = J 2 in (l20l i. Thus, in this case we 
do not need to do anything and move to eliminate the next 
element in z^^\ 

Now we can describe the modihed KZ reduction algorithm 
in Algorithm [3 


IV. Numerical tests 

In this section, we compare the performance of the proposed 
KZ algorithm Algorithm|3with Algorithm|2] All the numerical 
tests were done by Matlab 14b on a desktop computer with 
Intel(R) Xeon(R) CPU W3530 @ 2.80GHzx4. The Matlab 
code for Algorithm |2] was provided by Dr. Wen Zhang, one 
of the authors of lfT3l . The parameter 6 in the LLL reduction 
was chosen to be 1. 

We first give an example to show that Algorithm |2] may not 
even give a LLL reduced matrix (for S = 1), while Algorithm 
13 does. 

Example. Let 


10.6347 

-66.2715 

9.3046 

17.5349 

24.9625' 

0 

8.6759 

-4.7536 

-3.9379 

-2.3318 

0 

0 

0.3876 

0.1296 

-0.2879 

0 

0 

0 

0.0133 

-0.0082 

0 

0 

0 

0 

0.0015 


Algorithm 3 Modihed KZ Reduction Algorithm 
1: computer the QR factorization of A, see (|4]l; 

2: set Z — I,k = 1; 

3: while fc < n do 

4: compute the LLL reduction of Rk-.n,k:n (see (l2lT i) and 

update i2, Z (see (l24b - (l25]) I: 

5: solve min^gzn-fe+i\{ 0 } \\Rk-.n,k-.nz\\l by the Schnorr- 

Euchner search strategy to get the solution 2 ; 

6: if 2 = ± ei then 

7: fc = fc + 1; 

8 : else 

9: i = n — k\ 

10 : while * > 1 do 

11: if Zi+i ^ 0 then 

12: perform lines 2-7 of Algorithm [T] (where Xi and 

Xi+i are replaced by Zi and 2 ^+ 1 ); 

13: end if 

14: i = i — 

15: end while 

16: fc = fc -f 1; 

17: end if 

18 : end while 

19: perform size reductions on R and update Z. 


Applying Algorithm |3 gives 


R = 


-0.2256 

0 

0 

0 

0 


0.0792 0.0125 

0.2148 -0.0728 

0 0.2145 

0 0 

0 0 


0 0 
-0.0029 -0.0012 
0.0527 -0.0211 
-0.1103 0.0306 

0 0.6221 


It is easy to check that R is not LLL reduced (for 5 = 1) 
since rfg > r |4 + Moreover, the matrix Z obtained 
by Algorithm |3 is not unimodular since its determinant is 
—3244032, which was precisely calculated by Maple. The 
reason for this is that A is ill conditioned (its condition number 
in the 2-norm is about 1.0 x 10®) and some of the entries of 
a;(^) (see (fTTT i') are too large, causing severe inaccuracy in 
updating R and integer overflow in updating Z (see lines 4-5 
in Algorithm [T]). In fact, 

a;(i) = [-47, -27, -21, -14, -34]”^; 
a;(2) = [-48029, -27593, 2145, 345]^; 
a;(3) = [-2767925153, 432235, 40]”^; 
a; W = [691989751, 2]^. 

The condition numbers in the 2-norm of R{k : 5, fc: 5) obtained 
at the end of step fc = 1,2, 3,4 of Algorithm|3are respectively 
2.9 X 10®, 1.5 X 10^®, 6.2 x 10®® and 1.1 x 10. A question one 
may raise is that if A is updated by the unimodular matrices 
produced in the process (i.e., Z is not explicitly formed) is 
AZ LLL reduced? We found it is still not by looking at the 
R-factor of the QR factorization of AZ. 













Applying Algorithm [3 to A gives 



■-0.2256 

0.0792 

-0.0126 

0.0028 

-0.0621' 


0 

-0.2148 

0.0728 

-0.0084 

0.0930 

R = 

0 

0 

0.2145 

0.0292 

-0.0029 


0 

0 

0 

-0.2320 

0.0731 


0 

0 

0 

0 

-0.2959 


Although we cannot verify if H is KZ reduced, we can verify 
that indeed it is LLL reduced. All of the solutions of the four 
SVPs are ei (note that the dimensions are different). Thus, no 
basis expansion is needed. The condition numbers in the 2- 
norm of Il(k :5,k:5) obtained at the end of step fc = 1, 2, 3,4 
of Algorithm [3] are respectively 2.1,1.9,1.6 and 1.4. 

Now we consider two more general cases for comparing the 
efficiency of the two algorithms: 

« Case 1. A — randn(n,n), where randn(n,n) is a Mat- 
LAB built-in function to generate a random nxn matrix, 
whose entries follow the normal distribution N'{0, 1). 

• Case 2. A = UDV^, U,V are random orthogonal 
matrices obtained by the QR factorization of random 
matrices generated by randn(n, n) and D is a n x n 
diagonal matrix with da = 

In the numerical tests for each case for a fixed n we gave 
200 runs to generate 200 different A’s. Figures [T] and |2] display 
the average CPU time over 200 runs versus n = 2 : 2 : 20 
for Cases 1 and 2, respectively. In both figures, “KZ” and 
“Modified KZ” refer to Algorithms |2] and [3 respectively. 



Fig. 1. Average CPU time versus n for Case 1 

Figure gives the results for only n = 2 : 2 : 10. This is 
because when n > 12, Algorithm 2 often did not terminate 
within ten hours. 

In Case 1, sometimes Algorithm |2] did not terminate within 
a half hour and we just ignored this instance and gave one 
more run. The number of such instances was much smaller 
than that for Case 2. 

From Figures [U and |2] we can see that Algorithm |3] is faster 
than Algorithm |2] for Case 1 and much faster for Case 2. Also, 
when we ran Algorithm |2] we got a warning message ’’Warn¬ 
ing: Inputs contain values larger than the largest consecutive 



Fig. 2. Average CPU time versus n for Case 2 


flint. Result may be inaccurate” several times, for both Cases 
1 and 2 in the tests. But this did not happen to Algorithm [3 
Thus Algorithm [3 is more numerically reliable. 

V. Summary and comment 

In this paper, we modified the KZ reduction algorithm 
proposed by Zhang et al. in na. The resulting algorithm can 
be much faster and more numerically reliable. 

The modified basis expansion strategy proposed in this pa¬ 
per can be applied in designing algorithms for the Minkowski 
reduction (see, e.g., lfT3l l and the block KZ reduction (see lfT2ll 
and Uhl). 
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